Chore/dependabot wave1#35
Merged
Merged
Conversation
Same-major version bumps that resolve Dependabot alerts without any breaking-change risk. minimatch is deliberately deferred (it intersects active code-indexer work); astro 5→6, nitro, wrangler, and the @astrojs/cloudflare 13.x major are deferred to a later wave. - turbo 2.8.13 → 2.9.14 (medium) - @astrojs/cloudflare 12.6.3 → 12.6.6 (clears the high <12.6.6 advisory; the 13.1.10 low is left for the astro-6 wave) - @hey-api/openapi-ts 0.90.10 → 0.97.3 (medium, dev) - @babel/core 7.28.4 → 7.29.6 (low, dev) Lockfile regenerated; turbo/openapi-ts run at the new versions and all four resolve in bun.lock. No source changes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Clears all 16 dompurify Dependabot alerts (15 medium + 1 low). They
persisted because the root workspaces.catalog and packages/ui both pinned
3.3.1, below the 3.4.11 that covers every advisory upper bound
(<=3.4.10 → 3.4.11 is the highest). Bumped both pins together.
3.3 → 3.4 is a minor with security hardening, no API breaks. The only
consumer (packages/ui markdown.tsx) uses stable surface only —
isSupported, addHook("afterSanitizeAttributes"), sanitize(html, config)
with USE_PROFILES/FORBID_TAGS/ADD_TAGS — all unchanged in 3.4.
Verified: dompurify resolves to a single 3.4.11 in bun.lock; ui typecheck
clean; API surface intact. No source changes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
deepagent-ai
added a commit
that referenced
this pull request
Jul 9, 2026
Chore/dependabot wave1 (#35)
|
This PR doesn't fully meet our contributing guidelines and PR template. What needs to be fixed:
Please edit this PR description to address the above within 2 hours, or it will be automatically closed. If you believe this was flagged incorrectly, please let a maintainer know. |
|
Hey! Your PR title Please update it to start with one of:
Where See CONTRIBUTING.md for details. |
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue for this PR
Closes #
Type of change
What does this PR do?
Please provide a description of the issue, the changes you made to fix it, and why they work. It is expected that you understand why your changes work and if you do not understand why at least say as much so a maintainer knows how much to value the PR.
If you paste a large clearly AI generated description here your PR may be IGNORED or CLOSED!
How did you verify your code works?
Screenshots / recordings
If this is a UI change, please include a screenshot or recording.
Checklist
If you do not follow this template your PR will be automatically rejected.